
Logical Formulas for Hybrid Programs

In the document Logical Foundations of Cyber-Physical Systems (pages 135-138)



Expedition 4.2 (Invariant contracts for CPS)

In addition to preconditions and postconditions, loop invariants play a prominent rôle in contracts for conventional imperative programs, because they constitute the major logical mode for understanding loops. Preconditions state what is expected to hold before the program runs. Postconditions state what is guaranteed to hold after the program runs. And loop invariants indicate what is true every time a loop body executes, so before and after every run of the loop body.

In C-style programs, for example, invariants are associated with loops:

i = 0;
while (i < 10)
  // loop_invariant(0 <= i && i <= 10)
{
  i++;
}

Dijkstra's algorithm for computing the greatest common divisor of a and b needs a loop invariant and a precondition, as gcd(5,0) would not terminate:

// requires(a != 0 && b != 0)
x = a; y = b; u = b; v = a;
while (x != y)
  // loop_invariant(2*a*b == u*x + v*y)
{
  if (x > y) {
    x = x - y; v = v + u;
  } else {
    y = y - x; u = u + v;
  }
}
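The contract of the gcd program above, checked at run time. This is an added example and not code from the book: it executes the same subtractive loop in Python and verifies every clause on every iteration, which is the check a practitioner wants before trusting an annotation. Two things here are this example's own assumptions rather than clauses on the page: inputs are required to be positive (the page only demands nonzero), and the postcondition x == gcd(a, b) together with the lcm read-off from u + v are consequences drawn here from the invariant. The function and exception names are this example's own.

```python
"""Runtime checking of the gcd program's contract (requires / loop_invariant /
ensures).  Added example; the invariant 2*a*b == u*x + v*y is the page's, the
positivity requirement and the ensures clause are this example's assumptions.
"""
from math import gcd


class ContractViolation(AssertionError):
    """A requires, loop_invariant or ensures clause failed at run time."""


def invariant_holds(a: int, b: int, x: int, y: int, u: int, v: int) -> bool:
    # loop_invariant(2*a*b == u*x + v*y), exactly as annotated on the page
    return 2 * a * b == u * x + v * y


def gcd_with_contract(a: int, b: int) -> tuple:
    """Run the loop under its contract and return (gcd(a, b), lcm(a, b)).

    At exit x == y, so the invariant reads 2*a*b == x*(u + v), hence
    (u + v) / 2 == a*b / gcd(a, b) == lcm(a, b).  This reading of u + v is
    this example's, the page does not state it.
    """
    # requires(...): the page demands nonzero inputs because gcd(5, 0) never
    # terminates (x = 5 - 0 is a no-op).  Negative inputs diverge the same way,
    # so this example demands a > 0 and b > 0 (assumption, stronger than page).
    if a <= 0 or b <= 0:
        raise ContractViolation(f"requires(a > 0 && b > 0) failed for ({a}, {b})")
    x, y, u, v = a, b, b, a
    # The invariant must hold on entry, before the first run of the body ...
    if not invariant_holds(a, b, x, y, u, v):
        raise ContractViolation("loop_invariant failed on loop entry")
    while x != y:
        if x > y:
            x, v = x - y, v + u
        else:
            y, u = y - x, u + v
        # ... and again after every run of the body.
        if not invariant_holds(a, b, x, y, u, v):
            raise ContractViolation(f"loop_invariant failed at x={x} y={y} u={u} v={v}")
    # ensures(x == gcd(a, b)): postcondition assumed by this example
    if x != gcd(a, b):
        raise ContractViolation("ensures(x == gcd(a, b)) failed")
    return x, (u + v) // 2


def terminates_within(a: int, b: int, budget: int) -> bool:
    """Run the raw loop WITHOUT its requires clause, under an iteration budget.

    Shows why the precondition matters: without it a bad input such as (5, 0)
    does not give a wrong answer, it hangs, which is a denial of service.
    """
    x, y, u, v = a, b, b, a
    for _ in range(budget):
        if x == y:
            return True
        if x > y:
            x, v = x - y, v + u
        else:
            y, u = y - x, u + v
    return x == y
```

Calling gcd_with_contract(12, 18) returns (6, 36); terminates_within(5, 0, 1000) returns False, and gcd_with_contract(5, 0) refuses the input up front with a ContractViolation instead of looping.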

Such loop invariants will also play an equally important rôle in CPS (Chap. 7), but they first require additional developments to become meaningful.

4.3 Logical Formulas for Hybrid Programs

CPS contracts play a very useful rôle in the development of CPS programs or, in fact, any other CPS models. Using them as part of their design right from the very beginning is a good idea, probably much more crucial than it is when developing conventional programs, because CPSs have more stringent requirements on safety.

However, we do not only want to program CPSs, we also want to and will have to understand thoroughly what CPS programs and their contracts mean, and how we convince ourselves that the CPS contracts are respected by the CPS program. This is where mere contracts are at a disadvantage compared to the full features of logic.

Note 19 (Logic is for specification and reasoning) Logic allows not only the specification of a whole CPS program, but also an analytic inspection of its parts as well as argumentative relations between contracts and program parts.

Logic was invented for precise statements, justifications, and ways of systematizing rational human thought and mathematical reasoning [6,8–13,16,37,38].

Logic saw influential generalizations to enable precise statements and reasoning about conventional discrete programs [5,14,34], and other aspects, including modes of truth such as necessity and possibility [15] or temporal relations of truth [33,35].

What cyber-physical systems need, though, is, instead, a logic for precise statements and reasoning about their dynamical systems. So CPSs need logics of dynamical systems [25,29], of which the most fundamental representative is differential dynamic logic (dL) [20–22,25,26,30], the logic of hybrid systems. Differential dynamic logic allows direct logical statements about hybrid programs and, thus, serves as the logic of CPS programs in Parts I and II of this textbook for both specification and verification purposes, and still forms the basis for Parts III and IV. Additional multi-dynamical systems aspects beyond hybrid systems are discussed elsewhere [23–25,28,29,31], some of which will be picked up in Part III of this textbook.

The most important feature of differential dynamic logic for our purposes is that it allows us to refer to hybrid systems. Chapter 2 introduced first-order logic of real arithmetic, which was used to describe evolution domain constraints of differential equations, and made it possible to refer to conjunctions or disjunctions of comparisons of (polynomial) terms with quantifiers over real-valued variables.

Note 20 (Limits of first-order logic for CPS) First-order logic of real arithmetic is a crucial basis for describing what is true and false about CPSs, because it allows us to refer to real-valued quantities such as positions and velocities and their arithmetic relations. Yet, that is not quite enough, because first-order logic describes what is true in a single state of a system. It has no way of referring to what will be true in future states of a CPS, nor of describing the relationship of the initial state of the CPS to the final state of the CPS.

Without such a capability, it is impossible to refer to what preconditions were true before the CPS started and how this relates to what postconditions are true afterwards.

Recall from Sect. 3.3.2 that the relation [[α]] ⊆ S × S is what ultimately constitutes the semantics of HP α. It defines which new state ν ∈ S is reachable from which initial state ω ∈ S in HP α, in which case we write (ω,ν) ∈ [[α]].

Note 21 (Differential dynamic logic principle) Differential dynamic logic, which is denoted dL, extends first-order logic of real arithmetic with operators that refer to the future states of a CPS, that is to the states that are reachable by running a given HP. The logic dL provides a modal operator [α], parametrized by HP α, which refers to all states reachable by this HP α according to the reachability relation [[α]] ⊆ S × S of its semantics. For any HP α, this modal operator [α] can be placed in front of any dL formula P. The resulting dL formula

[α]P

expresses that all states reachable by HP α satisfy formula P.

The logic dL also provides another modal operator ⟨α⟩, parametrized by HP α, that can be placed in front of any dL formula P. The dL formula

⟨α⟩P

expresses that there is at least one state reachable by HP α for which P holds.

The modalities [α] and ⟨α⟩ can be used to express necessary or possible properties of the transition behavior of α, since they refer to all or some runs of α.

The formula [α]P is pronounced "α box P" and ⟨α⟩P is "α diamond P."

With the help of dL's modalities, an ensures(E) postcondition for an HP α can be expressed directly as a logical formula in differential dynamic logic:

[α]E

In particular, the first CPS postcondition ensures(0≤x) for the bouncing ball HP in (4.8) can be stated as a dL formula:

[{x'=v, v'=−g & x≥0}; if(x=0) v:=−cv] 0≤x    (4.10)

The second CPS postcondition ensures(x≤H) for the bouncing ball HP in (4.8) can be stated as a dL formula as well:

[{x'=v, v'=−g & x≥0}; if(x=0) v:=−cv] x≤H    (4.11)

The logic dL allows all other logical operators from first-order logic, including conjunction (∧). So, the two dL formulas (4.10) and (4.11) can be stated together as a single dL formula consisting of the logical conjunction of (4.10) and (4.11):

[{x'=v, v'=−g & x≥0}; if(x=0) v:=−cv] 0≤x
∧ [{x'=v, v'=−g & x≥0}; if(x=0) v:=−cv] x≤H    (4.12)

Stepping back, we could have combined the two postconditions ensures(0≤x) and ensures(x≤H) into a single postcondition ensures(0≤x ∧ x≤H) using a conjunction in the postcondition instead. The translation of that into dL would have gotten us an alternative way of combining both statements about the lower and upper bound on the height of the bouncing ball into a single dL formula:

[{x'=v, v'=−g & x≥0}; if(x=0) v:=−cv] (0≤x ∧ x≤H)    (4.13)

Which way of representing what we expect bouncing balls to do is better? Like (4.12) or like (4.13)? Are they equivalent? Or do they express different things?

Before you read on, see if you can find the answer for yourself.

There is a very simple argument within the logic dL that shows that dL formulas (4.12) and (4.13) are equivalent. It even shows that the same equivalence holds not just for these particular formulas but for any dL formulas of the same form:

[α]P ∧ [α]Q is equivalent to [α](P ∧ Q)    (4.14)

The equivalence of [α]P ∧ [α]Q and [α](P ∧ Q) can in turn be expressed as a logical formula with the equivalence operator (↔), giving a formula that is true in all states:

[α]P ∧ [α]Q ↔ [α](P ∧ Q)

This equivalence will be investigated in more detail in a later chapter, but it is useful to observe it now already in order to sharpen our intuition about dL and anticipate possible use cases for its flexibility.

Having said that, do we believe dL formula (4.12) should be valid, i.e., true in all states? Should (4.13) be valid? Well, they should certainly either agree to both be valid or agree to both not be valid, since they are equivalent by (4.14). But is (4.12) valid now or is it not? Before we study this question in any further detail, the first question should be what it means for a modal formula [α]P to be true. What is its semantics? Better yet, what exactly is its syntax in the first place?
